IETF Logo Mail Archive

Re: [secdir] Secdir early review of draft-ietf-bfd-optimizing-authentication-16

Jeffrey Haas <jhaas@pfrc.org> Mon, 01 July 2024 20:08 UTC

Return-Path: <jhaas@pfrc.org>
X-Original-To: rtg-bfd@ietfa.amsl.com
Delivered-To: rtg-bfd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B7BBC169402; Mon, 1 Jul 2024 13:08:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3KUlUZGPS6Q5; Mon, 1 Jul 2024 13:08:14 -0700 (PDT)
Received: from slice.pfrc.org (slice.pfrc.org [67.207.130.108]) by ietfa.amsl.com (Postfix) with ESMTP id 5EAE3C14F704; Mon, 1 Jul 2024 13:08:09 -0700 (PDT)
Received: from smtpclient.apple (172-125-100-52.lightspeed.livnmi.sbcglobal.net [172.125.100.52]) by slice.pfrc.org (Postfix) with ESMTPSA id DEB9D1E039; Mon, 1 Jul 2024 16:08:08 -0400 (EDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.8\))
Subject: Re: [secdir] Secdir early review of draft-ietf-bfd-optimizing-authentication-16
From: Jeffrey Haas <jhaas@pfrc.org>
In-Reply-To: <995db625-af61-4839-abd2-49b217b865cc@huitema.net>
Date: Mon, 01 Jul 2024 16:08:08 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <FF0F3A60-2952-48B7-BC6A-E3F6894B3EFA@pfrc.org>
References: <171863246380.36317.13945608266304472653@ietfa.amsl.com> <F52920D3-7C84-4754-9625-0656EB6EE442@pfrc.org> <5d78a447-4214-4c00-b192-bbb532784256@cs.tcd.ie> <995db625-af61-4839-abd2-49b217b865cc@huitema.net>
To: Christian Huitema <huitema@huitema.net>
X-Mailer: Apple Mail (2.3696.120.41.1.8)
Message-ID-Hash: VGIEJ4RSM5UYY3YPB4ALJCTNUL356VKJ
X-Message-ID-Hash: VGIEJ4RSM5UYY3YPB4ALJCTNUL356VKJ
X-MailFrom: jhaas@pfrc.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-rtg-bfd.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Stephen Farrell <stephen.farrell@cs.tcd.ie>, secdir@ietf.org, draft-ietf-bfd-optimizing-authentication.all@ietf.org, rtg-bfd@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
List-Id: "RTG Area: Bidirectional Forwarding Detection" <rtg-bfd.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-bfd/ENECBs8iyKXT7nF5VoWcA0wbdjU>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-bfd>
List-Help: <mailto:rtg-bfd-request@ietf.org?subject=help>
List-Owner: <mailto:rtg-bfd-owner@ietf.org>
List-Post: <mailto:rtg-bfd@ietf.org>
List-Subscribe: <mailto:rtg-bfd-join@ietf.org>
List-Unsubscribe: <mailto:rtg-bfd-leave@ietf.org>

Christian,


> On Jul 1, 2024, at 3:38 PM, Christian Huitema <huitema@huitema.net> wrote:
> 
> The issue of selective authentication is interesting. After reviewing draft-ietf-bfd-stability-13, we had some discussion of attacks made possible by spoofing BFD packets, and specifically spoofing their sequence numbers. I was under the impression that for a given association, all packets will have the same authentication -- MD5, SHA1, or NULL. There maybe ways to improve robustness of "NULL" sessions if a fraction of the packets are authenticated, but that would require some explicit study.

The cluster of the optimizing authentication, "secure sequence numbers", and "stability" drafts have spent time passing ideas back and forth over the years they've been getting worked on.  Stability has been the easiest one to think through since it's always been "just count missing packets".

Originally, null authentication was considered as an option for the optimizing draft in addition to the secure sequence numbers option.  However, when the analysis concluded that NULL authentication could be used as an attack on the session, it was removed. This left only secure sequence numbers as the optimized option.

Very similarly, the original idea of the secure sequence numbers draft had been to use a deterministic but apparently random number sequence to replace the sequence number field in an otherwise "no authentication" BFD session.  In that case, there were two points recognized that caused us to alter the proposal to the current version:
- Getting the ISAAC mechanism into sync so that it was clear how the generated values appropriately aligned was challenging, especially in circumstances where packet drop might be possible.  Fix: Use existing sequence numbers for coordination, make the output of ISAAC the authentication value.
- Toggling between BFD authentication types meant that a possible failure modality was BFD could come up for the strong authentication method and then fail when the optimized algorithm method was used.  Fix: Authentication codes are now the pair of the strong and the optimized algorithm.

Returning to your observation, the "NULL" method has potential to similarly leverage a paired strong/optimized authentication code for periodic authentication... but that doesn't address any of the shorter lived attacks.  More importantly, NULL is intended to be leveraged by operators in the same environment that would otherwise not be provisioning authentication in the first place.  The CPU may simply not be available for any security.  

If you have available CPU, leverage the optimized procedures for your "strong" cipher of choice, including MD5, and ISAAC for the optimized form.  We do say that BFD authentication that protects the session is RECOMMENDED.  The challenge was dealing with the situations where it wasn't practicable.

-- Jeff

> 
> -- Christian Huitema

v2.31.3 | Report a Bug | By Email | System Status